Mystery message, can't track it down.
Can someone help please?
Attachment 197110
Please repost with more information, including whether the message occurs once during startup or pops up repeatedly.
Ben
Sorry
I should have said, it only comes up once, after a restart, after approx. 5-10 seconds.
thanks
Strange randomly named folders and executables are often a sign of malware, especially when hidden in AppData (so it's probably a good thing that Windows cannot find it). This isn't really the right forum to deal with that. Perhaps the Mods could move it somewhere more appropriate (General Support?) where @simrick may pick it up.
Please run the BETA log collector and post a zip into this thread.
See the bottom of this webpage:
BSOD - Posting Instructions - Windows 10 Forums
(extract > open)
Use the text and images in this link in case there are any problems running the BETA log collector: (post #5)
DM Log tool problem Solved - Windows 10 Forums
Press the Windows and "R" keys simultaneously, type "taskmgr" into the "Run" box and click "OK". When Task Manager starts, click on the "Startup" tab and look for "etrvdruu.exe". If you find it, right-click it and select "Disable".
Ben
I have to agree with Bree on this one - it appears to be some sort of randomly-named executable, probably resulting from an infection, a partial infection, or a partially-cleaned infection.
Can you run ADWCleaner and post the logs for us please?
Downloads - AdwCleaner - ToolsLib
The Log Manager is used to give an easy access to all previous logs, including the debug one (which is only shown if the Debug mode is On).
Log files are stored in C:\AdwCleaner\ and the naming format is as follows:
- Scan: AdwCleaner[Sxxx].txt
- Clean: AdwCleaner[Cxxx].txt
- Debug: AdwCleaner_Debug.log
xxx starts from 0.
adwcleaner log
Code:
# -------------------------------
# Malwarebytes AdwCleaner 7.2.2.0
# -------------------------------
# Build: 07-17-2018
# Database: 2018-07-25.1
# Support: Customer Support & Help Center | Malwarebytes
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 07-27-2018
# Duration: 00:02:24
# OS: Windows 10 Pro
# Scanned: 41737
# Detected: 3

***** [ Services ] *****
No malicious services found.

***** [ Folders ] *****
PUP.Optional.Legacy C:\ProgramData\BSD\DriverHiveEngine

***** [ Files ] *****
No malicious files found.

***** [ DLL ] *****
No malicious DLLs found.

***** [ WMI ] *****
No malicious WMI found.

***** [ Shortcuts ] *****
No malicious shortcuts found.

***** [ Tasks ] *****
No malicious tasks found.

***** [ Registry ] *****
PUP.Optional.SofTonicAssistant HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\spybot-search-destroy.en.softonic.com
PUP.Optional.SofTonicAssistant HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\spybot-search-destroy.en.softonic.com

***** [ Chromium (and derivatives) ] *****
No malicious Chromium entries found.

***** [ Chromium URLs ] *****
No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****
No malicious Firefox entries found.

***** [ Firefox URLs ] *****
No malicious Firefox URLs found.

AdwCleaner[S00].txt - [29949 octets] - [26/07/2018 20:04:15]
AdwCleaner[C00].txt - [26186 octets] - [26/07/2018 20:04:57]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S01].txt ##########

Code:
# AdwCleaner 7.0.8.0 - Logfile created on Thu Mar 08 12:37:05 2018
# Updated on 2018/08/02 by Malwarebytes
# Running on Windows 10 Pro (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****
Deleted: c42bb2da869e225c7de8b81fad0d0a1e

***** [ Folders ] *****
Deleted: C:\ProgramData\BSD\DriverHive
Deleted: C:\Users\All Users\BSD\DriverHive
Deleted: C:\Windows\System32\\SSL
Deleted: C:\Windows\SysWOW64\\SSL
Deleted: C:\Users\keith\AppData\Roaming\vghd
Deleted: C:\ProgramData\BSD\DriverHiveEngine
Deleted: C:\Users\All Users\BSD\DriverHiveEngine
Deleted: C:\Users\keith\Documents\TotalAV
Deleted: C:\Users\keith\AppData\Local\AdService
Deleted: C:\Users\keith\AppData\Roaming\SystemHealer
Deleted: C:\Users\keith\AppData\Roaming\WidModule
Deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
Deleted: C:\ProgramData\Auslogics
Deleted: C:\Program Files (x86)\Auslogics
Deleted: C:\Users\All Users\Auslogics

***** [ Files ] *****
No malicious files deleted.

***** [ DLL ] *****
No malicious DLLs cleaned.

***** [ WMI ] *****
No malicious WMI cleaned.

***** [ Shortcuts ] *****
No malicious shortcuts cleaned.

***** [ Tasks ] *****
No malicious tasks deleted.

***** [ Registry ] *****
Deleted: [Key] - HKLM\SOFTWARE\Yahoo\Companion
Deleted: [Key] - HKU\S-1-5-21-1181102942-2369810405-3602532389-1001\Software\Yahoo\Companion
Deleted: [Key] - HKU\S-1-5-21-1181102942-2369810405-3602532389-1001\Software\AppDataLow\Software\Yahoo\Companion
Deleted: [Key] - HKCU\Software\Yahoo\Companion
Deleted: [Key] - HKCU\Software\AppDataLow\Software\Yahoo\Companion
Deleted: [Key] - HKU\S-1-5-21-1181102942-2369810405-3602532389-1001\Software\Yahoo\YFriendsBar
Deleted: [Key] - HKCU\Software\Yahoo\YFriendsBar
Deleted: [Key] - HKU\S-1-5-21-1181102942-2369810405-3602532389-1001\Software\DC3_FEXEC
Deleted: [Key] - HKCU\Software\DC3_FEXEC
Deleted: [Key] - HKU\S-1-5-21-1181102942-2369810405-3602532389-1001\Software\C84E
Deleted: [Key] - HKCU\Software\C84E
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Deleted: [Value] - HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks|{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32|AnonymizerGadget
Deleted: [Key] - HKLM\SOFTWARE\BSD
Deleted: [Key] - HKU\S-1-5-21-1181102942-2369810405-3602532389-1001\Software\BSD
Deleted: [Key] - HKCU\Software\BSD
Deleted: [Key] - HKLM\SOFTWARE\BSD
Deleted: [Key] - HKU\S-1-5-21-1181102942-2369810405-3602532389-1001\Software\BSD
Deleted: [Key] - HKCU\Software\BSD
Deleted: [Key] - HKU\S-1-5-21-1181102942-2369810405-3602532389-1001\Software\Genius
Deleted: [Key] - HKCU\Software\Genius
Deleted: [Key] - HKLM\SOFTWARE\Auslogics
Deleted: [Key] - HKU\S-1-5-21-1181102942-2369810405-3602532389-1001\Software\SetupCompany
Deleted: [Key] - HKCU\Software\SetupCompany
Deleted: [Key] - HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.totalav.passwordvaultassistant
Deleted: [Key] - HKLM\SOFTWARE\Mozilla\NativeMessagingHosts\com.totalav.passwordvaultassistant

***** [ Firefox (and derivatives) ] *****
No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****
No malicious Chromium entries deleted.

*************************
::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0
*************************

C:/AdwCleaner/AdwCleaner[S0].txt - [4492 B] - [2018/3/8 12:36:45]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########

Code:
# AdwCleaner 7.0.8.0 - Logfile created on Thu Mar 08 12:36:45 2018
# Updated on 2018/08/02 by Malwarebytes
# Database: 2018-03-07.2
# Running on Windows 10 Pro (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****
PUP.Adware.Heuristic, c42bb2da869e225c7de8b81fad0d0a1e

***** [ Folders ] *****
PUP.Optional.TweakBit, C:\ProgramData\BSD\DriverHive
PUP.Optional.TweakBit, C:\Users\All Users\BSD\DriverHive
PUP.Optional.Legacy, C:\Windows\System32\SSL
PUP.Optional.Legacy, C:\Windows\SysWOW64\SSL
PUP.Optional.Legacy, C:\Users\keith\AppData\Roaming\vghd
PUP.Optional.Legacy, C:\ProgramData\BSD\DriverHiveEngine
PUP.Optional.Legacy, C:\Users\All Users\BSD\DriverHiveEngine
PUP.Optional.Legacy, C:\Users\keith\Documents\TotalAV
PUP.Optional.UpService, C:\Users\keith\AppData\Local\AdService
PUP.Optional.SystemHealer, C:\Users\keith\AppData\Roaming\SystemHealer
Trojan.Agent, C:\Users\keith\AppData\Roaming\WidModule
PUP.Optional.AuslogicsDriverUpdater, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
PUP.Optional.AuslogicsDriverUpdater, C:\ProgramData\Auslogics
PUP.Optional.AuslogicsDriverUpdater, C:\Program Files (x86)\Auslogics
PUP.Optional.AuslogicsDriverUpdater, C:\Users\All Users\Auslogics

***** [ Files ] *****
No malicious files found.

***** [ DLL ] *****
No malicious DLLs found.

***** [ WMI ] *****
No malicious WMI found.

***** [ Shortcuts ] *****
No malicious shortcuts found.

***** [ Tasks ] *****
No malicious tasks found.

***** [ Registry ] *****
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Yahoo\Companion
PUP.Optional.Legacy, [Key] - HKU\S-1-5-21-1181102942-2369810405-3602532389-1001\Software\Yahoo\Companion
PUP.Optional.Legacy, [Key] - HKU\S-1-5-21-1181102942-2369810405-3602532389-1001\Software\AppDataLow\Software\Yahoo\Companion
PUP.Optional.Legacy, [Key] - HKCU\Software\Yahoo\Companion
PUP.Optional.Legacy, [Key] - HKCU\Software\AppDataLow\Software\Yahoo\Companion
PUP.Optional.Legacy, [Key] - HKU\S-1-5-21-1181102942-2369810405-3602532389-1001\Software\Yahoo\YFriendsBar
PUP.Optional.Legacy, [Key] - HKCU\Software\Yahoo\YFriendsBar
PUP.Optional.Legacy, [Key] - HKU\S-1-5-21-1181102942-2369810405-3602532389-1001\Software\DC3_FEXEC
PUP.Optional.Legacy, [Key] - HKCU\Software\DC3_FEXEC
PUP.Optional.Legacy, [Key] - HKU\S-1-5-21-1181102942-2369810405-3602532389-1001\Software\C84E
PUP.Optional.Legacy, [Key] - HKCU\Software\C84E
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
PUP.Optional.Legacy, [Value] - HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks | {EF99BD32-C1FB-11D2-892F-0090271D4F88}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
PUP.Optional.Legacy, [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 | AnonymizerGadget
PUP.Optional.DriverUpdatePlus, [Key] - HKLM\SOFTWARE\BSD
PUP.Optional.DriverUpdatePlus, [Key] - HKU\S-1-5-21-1181102942-2369810405-3602532389-1001\Software\BSD
PUP.Optional.DriverUpdatePlus, [Key] - HKCU\Software\BSD
PUP.Optional.Auslogics, [Key] - HKLM\SOFTWARE\BSD
PUP.Optional.Auslogics, [Key] - HKU\S-1-5-21-1181102942-2369810405-3602532389-1001\Software\BSD
PUP.Optional.Auslogics, [Key] - HKCU\Software\BSD
PUP.Optional.ShopGenius, [Key] - HKU\S-1-5-21-1181102942-2369810405-3602532389-1001\Software\Genius
PUP.Optional.ShopGenius, [Key] - HKCU\Software\Genius
PUP.Optional.AuslogicsDriverUpdater, [Key] - HKLM\SOFTWARE\Auslogics
PUP.Optional.AdService, [Key] - HKU\S-1-5-21-1181102942-2369810405-3602532389-1001\Software\SetupCompany
PUP.Optional.AdService, [Key] - HKCU\Software\SetupCompany
PUP.Optional.TotalAV, [Key] - HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.totalav.passwordvaultassistant
PUP.Optional.TotalAV, [Key] - HKLM\SOFTWARE\Mozilla\NativeMessagingHosts\com.totalav.passwordvaultassistant

***** [ Firefox (and derivatives) ] *****
No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****
No malicious Chromium entries.

*************************

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt ##########
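Reading three logs like the ones above by eye is slow, and the one line that matters (the Trojan.Agent folder under AppData\Roaming) is buried among PUP entries. The PowerShell below is an added example, not code from the thread or from Malwarebytes: it parses the AdwCleaner log layout shown above (the "***** [ Section ] *****" headers, "Family, item" lines in 7.0.x scan logs, "Family item" lines in 7.2.x scan logs, and "Deleted: item" lines in clean logs) and groups the findings by family so non-PUP detections stand out. The embedded sample log is a constructed excerpt in that format so the script runs offline; the path in the final comment is an assumption based on the folder the thread quotes.

```powershell
# Added example: summarise an AdwCleaner scan/clean log by section and detection family.
# Constructed sample in the log format quoted in the thread (not a real log file).
$sampleLog = @'
# AdwCleaner 7.0.8.0 - Logfile created on Thu Mar 08 12:36:45 2018
# Mode: scan
***** [ Services ] *****
PUP.Adware.Heuristic, c42bb2da869e225c7de8b81fad0d0a1e
***** [ Folders ] *****
PUP.Optional.TweakBit, C:\ProgramData\BSD\DriverHive
Trojan.Agent, C:\Users\keith\AppData\Roaming\WidModule
PUP.Optional.Legacy C:\ProgramData\BSD\DriverHiveEngine
***** [ Files ] *****
No malicious files found.
***** [ Registry ] *****
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Yahoo\Companion
Deleted: [Key] - HKCU\Software\Yahoo\Companion
'@

function ConvertFrom-AdwCleanerLog {
    param([string[]]$Lines)
    $section = $null
    foreach ($line in $Lines) {
        # Section header: ***** [ Folders ] *****
        if ($line -match '^\*{5} \[ (.+?) \] \*{5}$') { $section = $Matches[1]; continue }
        if (-not $section) { continue }                 # banner lines before the first section
        if ($line -match '^No malicious ') { continue } # empty section marker
        if ($line -match '^Deleted: (?<item>.+)$') {    # clean-log line
            [pscustomobject]@{ Section = $section; Family = '(cleaned)'; Item = $Matches.item }
        } elseif ($line -match '^(?<family>[A-Za-z0-9._-]+),? (?<item>.+)$') {  # scan-log line
            [pscustomobject]@{ Section = $section; Family = $Matches.family; Item = $Matches.item }
        }
    }
}

$entries = ConvertFrom-AdwCleanerLog -Lines ($sampleLog -split "`r?`n")
$entries | Format-Table -AutoSize

# Group by family; anything that is not PUP.* (e.g. Trojan.*) deserves a closer look.
$entries | Group-Object Family | Sort-Object Count -Descending | Select-Object Name, Count
$entries | Where-Object { $_.Family -notlike 'PUP.*' -and $_.Family -ne '(cleaned)' }

# Against a real log (assumed path; use -LiteralPath because "[S00]" is a wildcard pattern):
# ConvertFrom-AdwCleanerLog -Lines (Get-Content -LiteralPath 'C:\AdwCleaner\Logs\AdwCleaner[S00].txt')
```

On the constructed sample the last pipeline returns the single Trojan.Agent entry under C:\Users\keith\AppData\Roaming, which is the kind of randomly named AppData folder the earlier reply warned about.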
When available please post the BETA log collector zip for troubleshooting.
Thanks for the logs. In my opinion:
Please remove and/or keep off the system:
TweakBit Driver Updater
Auslogics
Yahoo Companions/YFriendsBar
Total AV has also been removed. (If ADWCleaner/Malwarebytes doesn't like it, neither do I.)
Is the error still showing after a reboot?
You might have a read here, and see if there is a task of the error file you can delete.
Scheduled Tasks - Malwarebytes Labs | Malwarebytes Labs
Also, if it's still showing on reboot, perhaps run Malwarebytes Antimalware:
Removal instructions for TweakBit Driver Updater - Malware Removal Self-Help Guides - Malwarebytes Forums
Be sure to check the box to scan for rootkits.
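The Task Manager check suggested earlier and the scheduled-task check suggested here both boil down to the same question: which startup location still references the missing executable? A "Windows cannot find ..." message a few seconds after logon is typically a persistence entry whose target has already been removed. The PowerShell below is an added example, not code from the thread; it searches the Run/RunOnce keys, the Startup folders and scheduled task actions for a given file name and reports whether the referenced file still exists. The name etrvdruu.exe is the one quoted in the thread and is only a default; the script assumes Windows 10 with the ScheduledTasks module present.

```powershell
# Added example: find startup entries that reference a given executable name and
# report whether the file they point to still exists (a dangling entry explains
# "Windows cannot find ..." shortly after logon). Default name is from the thread.
param([string]$Target = 'etrvdruu.exe')

$pattern = [regex]::Escape($Target)
$hits = New-Object System.Collections.Generic.List[object]

function Add-Hit($Source, $Name, $Command) {
    # Extract the first path-like token ("quoted path" or first word) and check it exists
    $path = $null
    if ($Command -match '^"([^"]+)"' -or $Command -match '^(\S+)') { $path = $Matches[1] }
    $exists = $false
    if ($path) { $exists = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($path)) }
    $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command; FileExists = $exists })
}

# 1. Run / RunOnce keys (current user, machine, and the 32-bit view on 64-bit Windows)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
        $value = "$($p.Value)"
        if ($value -match $pattern) { Add-Hit $key $p.Name $value }
    }
}

# 2. Startup folders (per-user and all-users), including the targets of .lnk shortcuts
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in @('Startup', 'CommonStartup')) {
    $dir = [Environment]::GetFolderPath($folder)
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Name -match $pattern) { Add-Hit "StartupFolder:$dir" $_.Name $_.FullName }
        elseif ($_.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($_.FullName)
            if ($lnk.TargetPath -match $pattern) { Add-Hit "StartupFolder:$dir" $_.Name $lnk.TargetPath }
        }
    }
}

# 3. Scheduled tasks: inspect every action's executable and arguments
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)".Trim()
        if ($cmd -match $pattern) { Add-Hit "ScheduledTask:$($task.TaskPath)" $task.TaskName $cmd }
    }
}

if ($hits.Count -eq 0) { "No startup entry referencing $Target was found." }
else { $hits | Format-Table -AutoSize }
```

Run it from an elevated PowerShell so the HKLM keys and all tasks are readable; a row with FileExists = False is the entry producing the error and the one to disable or delete once its origin is understood.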